Date
June 19, 2025, 12:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 32.996569] ==================================================================
[ 32.996763] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.997090] Read of size 1 at addr fff00000c63f0000 by task kunit_try_catch/244
[ 32.997238]
[ 32.997336] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 32.997566] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.997650] Hardware name: linux,dummy-virt (DT)
[ 32.998066] Call trace:
[ 32.998144]  show_stack+0x20/0x38 (C)
[ 32.998307]  dump_stack_lvl+0x8c/0xd0
[ 32.998415]  print_report+0x118/0x608
[ 32.998511]  kasan_report+0xdc/0x128
[ 32.998615]  __asan_report_load1_noabort+0x20/0x30
[ 32.998738]  mempool_uaf_helper+0x314/0x340
[ 32.998863]  mempool_page_alloc_uaf+0xc0/0x118
[ 32.999415]  kunit_try_run_case+0x170/0x3f0
[ 32.999705]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.000296]  kthread+0x328/0x630
[ 33.000439]  ret_from_fork+0x10/0x20
[ 33.000828]
[ 33.000915] The buggy address belongs to the physical page:
[ 33.001114] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f0
[ 33.001260] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.001634] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 33.001988] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 33.002429] page dumped because: kasan: bad access detected
[ 33.002531]
[ 33.002582] Memory state around the buggy address:
[ 33.002667]  fff00000c63eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.002985]  fff00000c63eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.003274] >fff00000c63f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.003558]                    ^
[ 33.003669]  fff00000c63f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.003832]  fff00000c63f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.004250] ==================================================================
[ 32.907008] ==================================================================
[ 32.907117] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 32.907221] Read of size 1 at addr fff00000c63f0000 by task kunit_try_catch/240
[ 32.907281]
[ 32.907346] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 32.907454] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.907488] Hardware name: linux,dummy-virt (DT)
[ 32.907528] Call trace:
[ 32.907556]  show_stack+0x20/0x38 (C)
[ 32.907617]  dump_stack_lvl+0x8c/0xd0
[ 32.907675]  print_report+0x118/0x608
[ 32.907732]  kasan_report+0xdc/0x128
[ 32.907784]  __asan_report_load1_noabort+0x20/0x30
[ 32.907843]  mempool_uaf_helper+0x314/0x340
[ 32.909021]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 32.909478]  kunit_try_run_case+0x170/0x3f0
[ 32.909919]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.909995]  kthread+0x328/0x630
[ 32.910045]  ret_from_fork+0x10/0x20
[ 32.910267]
[ 32.910311] The buggy address belongs to the physical page:
[ 32.910548] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f0
[ 32.911079] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.911168] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.911245] page_type: f8(unknown)
[ 32.911400] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.911472] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.911646] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 32.911767] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 32.912013] head: 0bfffe0000000002 ffffc1ffc318fc01 00000000ffffffff 00000000ffffffff
[ 32.912101] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 32.912343] page dumped because: kasan: bad access detected
[ 32.912389]
[ 32.912420] Memory state around the buggy address:
[ 32.912487]  fff00000c63eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.912592]  fff00000c63eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.912680] >fff00000c63f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.912727]                    ^
[ 32.912776]  fff00000c63f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.912964]  fff00000c63f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.913181] ==================================================================
```
qemu-x86_64:

```
[ 28.909500] ==================================================================
[ 28.910259] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 28.911608] Read of size 1 at addr ffff888102afc000 by task kunit_try_catch/262
[ 28.911888]
[ 28.912201] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 28.912314] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.912341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.912432] Call Trace:
[ 28.912463]  <TASK>
[ 28.912512]  dump_stack_lvl+0x73/0xb0
[ 28.912591]  print_report+0xd1/0x650
[ 28.912958]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.913083]  ? mempool_uaf_helper+0x392/0x400
[ 28.913141]  ? kasan_addr_to_slab+0x11/0xa0
[ 28.913180]  ? mempool_uaf_helper+0x392/0x400
[ 28.913220]  kasan_report+0x141/0x180
[ 28.913256]  ? mempool_uaf_helper+0x392/0x400
[ 28.913290]  __asan_report_load1_noabort+0x18/0x20
[ 28.913317]  mempool_uaf_helper+0x392/0x400
[ 28.913342]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 28.913366]  ? __kasan_check_write+0x18/0x20
[ 28.913391]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 28.913416]  ? finish_task_switch.isra.0+0x153/0x700
[ 28.913444]  mempool_page_alloc_uaf+0xed/0x140
[ 28.913469]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 28.913497]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 28.913523]  ? __pfx_mempool_free_pages+0x10/0x10
[ 28.913550]  ? __pfx_read_tsc+0x10/0x10
[ 28.913574]  ? ktime_get_ts64+0x86/0x230
[ 28.913601]  kunit_try_run_case+0x1a5/0x480
[ 28.913629]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.913652]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.913678]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.913701]  ? __kthread_parkme+0x82/0x180
[ 28.913725]  ? preempt_count_sub+0x50/0x80
[ 28.913749]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.913773]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.913798]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.913823]  kthread+0x337/0x6f0
[ 28.913844]  ? trace_preempt_on+0x20/0xc0
[ 28.913869]  ? __pfx_kthread+0x10/0x10
[ 28.913891]  ? _raw_spin_unlock_irq+0x47/0x80
[ 28.914202]  ? calculate_sigpending+0x7b/0xa0
[ 28.914253]  ? __pfx_kthread+0x10/0x10
[ 28.914292]  ret_from_fork+0x116/0x1d0
[ 28.914316]  ? __pfx_kthread+0x10/0x10
[ 28.914338]  ret_from_fork_asm+0x1a/0x30
[ 28.914373]  </TASK>
[ 28.914386]
[ 28.933363] The buggy address belongs to the physical page:
[ 28.933895] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102afc
[ 28.935161] flags: 0x200000000000000(node=0|zone=2)
[ 28.935618] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 28.936550] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 28.937402] page dumped because: kasan: bad access detected
[ 28.937780]
[ 28.938514] Memory state around the buggy address:
[ 28.938831]  ffff888102afbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.939717]  ffff888102afbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.940161] >ffff888102afc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.941152]                    ^
[ 28.941732]  ffff888102afc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.942627]  ffff888102afc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.943000] ==================================================================
[ 28.792721] ==================================================================
[ 28.793283] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 28.793731] Read of size 1 at addr ffff888102afc000 by task kunit_try_catch/258
[ 28.794414]
[ 28.794617] CPU: 1 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 28.794728] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.794758] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.794810] Call Trace:
[ 28.794839]  <TASK>
[ 28.794880]  dump_stack_lvl+0x73/0xb0
[ 28.795080]  print_report+0xd1/0x650
[ 28.795155]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.795184]  ? mempool_uaf_helper+0x392/0x400
[ 28.795209]  ? kasan_addr_to_slab+0x11/0xa0
[ 28.795232]  ? mempool_uaf_helper+0x392/0x400
[ 28.795256]  kasan_report+0x141/0x180
[ 28.795280]  ? mempool_uaf_helper+0x392/0x400
[ 28.795307]  __asan_report_load1_noabort+0x18/0x20
[ 28.795335]  mempool_uaf_helper+0x392/0x400
[ 28.795359]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 28.795385]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 28.795411]  ? finish_task_switch.isra.0+0x153/0x700
[ 28.795439]  mempool_kmalloc_large_uaf+0xef/0x140
[ 28.795463]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 28.795490]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 28.795515]  ? __pfx_mempool_kfree+0x10/0x10
[ 28.795541]  ? __pfx_read_tsc+0x10/0x10
[ 28.795564]  ? ktime_get_ts64+0x86/0x230
[ 28.795591]  kunit_try_run_case+0x1a5/0x480
[ 28.795618]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.795641]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.795667]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.795692]  ? __kthread_parkme+0x82/0x180
[ 28.795714]  ? preempt_count_sub+0x50/0x80
[ 28.795739]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.795764]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.795788]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.795812]  kthread+0x337/0x6f0
[ 28.795834]  ? trace_preempt_on+0x20/0xc0
[ 28.795858]  ? __pfx_kthread+0x10/0x10
[ 28.795881]  ? _raw_spin_unlock_irq+0x47/0x80
[ 28.795920]  ? calculate_sigpending+0x7b/0xa0
[ 28.795955]  ? __pfx_kthread+0x10/0x10
[ 28.797014]  ret_from_fork+0x116/0x1d0
[ 28.797087]  ? __pfx_kthread+0x10/0x10
[ 28.797133]  ret_from_fork_asm+0x1a/0x30
[ 28.797169]  </TASK>
[ 28.797183]
[ 28.809306] The buggy address belongs to the physical page:
[ 28.809591] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102afc
[ 28.809936] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 28.810691] flags: 0x200000000000040(head|node=0|zone=2)
[ 28.812501] page_type: f8(unknown)
[ 28.812742] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 28.813263] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 28.813431] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 28.813576] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[ 28.813718] head: 0200000000000002 ffffea00040abf01 00000000ffffffff 00000000ffffffff
[ 28.813858] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 28.814272] page dumped because: kasan: bad access detected
[ 28.814832]
[ 28.815092] Memory state around the buggy address:
[ 28.815599]  ffff888102afbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.816174]  ffff888102afbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.816582] >ffff888102afc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.816849]                    ^
[ 28.817572]  ffff888102afc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.818394]  ffff888102afc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.819018] ==================================================================
```